third-party risk

16 articles on third-party risk — privacy laws, security frameworks, and regulatory compliance.

Jun 7, 2026

When Your Security Vendor Becomes a Counterintelligence Question: Supply-Chain Integrity, Vendor Concentration, and the Compliance Reckoning Behind Stuxnet, Grim Beeper, and the DIA's 'Critical' Israel Rating

In June 2026 the Defense Intelligence Agency rated Israel a 'critical' counterintelligence threat — its highest designation for any ally — after spywa...

Jun 6, 2026

DentaQuest's 2.6 Million-Record Breach: ShinyHunters, Sun Life, and the HIPAA Questions Every Benefits Administrator Should Be Asking

The extortion group ShinyHunters leaked roughly 234 GB of data tied to DentaQuest, the Sun Life-owned dental benefits administrator, exposing names, d...

Jun 5, 2026

DORA Enforcement Arrives and NIS2 Hits Its October Deadline: The EU Cyber-Resilience Reckoning of 2026

2026 is the year the EU's two flagship cyber-resilience regimes stop being aspirational. DORA enters its first real supervisory enforcement cycle for ...

May 31, 2026

The Q2 2026 Ransomware Wave: Qilin, ShinyHunters, and the Compliance Failures Behind the Salesforce Extortion Campaign

May 2026 saw 95 publicly disclosed ransomware attacks across 17 countries, with Qilin and ShinyHunters leading a campaign that increasingly skips encr...

May 27, 2026

NYC Health + Hospitals Biometric Breach: HIPAA, BIPA, and the Irreversibility Problem

NYC Health + Hospitals confirmed a breach affecting 1.8 million individuals — including fingerprints and palm prints — originating through a third-par...

May 21, 2026

15 Million Records, a $10,000 Fine: The MMG Fusion Settlement and What It Means When Your Business Associate Disappears

HHS OCR settled with MMG Fusion, LLC for $10,000 following a breach that exposed the protected health information of 15 million patients — one of the ...

May 20, 2026

Oncology Institute Vendor Breach: How One Unauthorized Access Event Triggers HIPAA, SEC Disclosure, and Third-Party Risk Obligations Simultaneously

The Oncology Institute disclosed on May 20, 2026 via SEC Form 8-K that a vendor had detected unauthorized access to information systems handling patie...

May 19, 2026

Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credentials for the First Time in 19 Years — What the Data Means for Your Security Program

The 2026 Verizon Data Breach Investigations Report analyzed more than 22,000 confirmed breaches and found that vulnerability exploitation now accounts...

May 7, 2026

Cushman & Wakefield's Vishing-Triggered Breach: ShinyHunters, 500K Salesforce Records, and Third-Party Risk

In late April and early May 2026, Cushman & Wakefield confirmed a cyberattack originating from a voice phishing operation that gave ShinyHunters acces...

Apr 24, 2026

ShinyHunters, Salesforce, and the FERPA Blind Spot: The McGraw-Hill and Rockstar Games Supply Chain Breach

In April 2026, ShinyHunters executed two related but technically distinct supply chain attacks: a Salesforce Experience Cloud misconfiguration at McGr...

Apr 23, 2026

Citizens Bank and Frost Bank: Everest Ransomware's Third-Party Breach and the GLBA Vendor Accountability Gap

On April 20, 2026, the Everest ransomware gang listed both Citizens Financial Group and Frost Bank on its dark web leak site, claiming to hold 3.4 mil...

Apr 21, 2026

The OAuth Governance Gap: What the Vercel and Lovable Incidents Mean for Your Compliance Program

Two high-profile security incidents broke within hours of each other on April 19–20, 2026. Both involved AI platforms. Both exposed real customer data...

Apr 17, 2026

Booking.com's Second GDPR Breach in Five Years: When Repeat Offenders Meet Repeat Violations

Booking.com confirmed hackers accessed customer reservation data in April 2026, raising immediate GDPR 72-hour notification questions — and echoing a ...

Apr 16, 2026

The Adobe BPO Breach: When Your Vendor's Vendor Becomes Your Biggest Compliance Risk

A threat actor known as 'Mr. Raccoon' claims to have stolen 13 million Adobe customer support tickets and 15,000 employee records — not by hacking Ado...

Mar 22, 2026

Ring-Flock Safety Partnership Cancelled: Vendor Risk and Privacy Program Implications

Amazon's Ring cancelled its integration with Flock Safety after public backlash — a case study in vendor risk management, third-party surveillance exp...

Apr 21, 2025

HITRUST CSF: The Gold Standard for Healthcare Data Protection in 2025

Stay ahead of evolving compliance requirements with our comprehensive analysis of 2025 regulatory trends. This guide offers strategic insights and pra...